Oct 11
Legitimate interest assessment & Consent management

DPOrganizer’s GDPR Requirements Series

#10 Legitimate interest assessment & Consent management

Okay, since the last post you have hopefully worked out whether you will rely on consent or on legitimate interest for some of your processing activities. If so, this post is for you. The first half covers legitimate interest assessments and the second half covers consent and consent management. If you recall, last week I used the old Article 29 Working Party’s opinion on legitimate interest, which is relevant for this post too, as are the EDPB’s guidelines on consent.

As a controller who has decided to apply legitimate interest as the legal basis, you must carry out a legitimate interest assessment (LIA). An LIA should be done for every processing activity that relies on legitimate interest, after you have determined the purpose of the processing and before you start processing. Depending on the circumstances, you might also need to carry out a data protection impact assessment (DPIA). Of course, your reasoning should be documented. Both LIA and DPIA can be carried out in DPOrganizer’s assessment module. Essentially, the legitimate interest assessment is a three-step test that consists of:

  1. Identifying a legitimate interest. You should first determine your own or a third party’s legitimate interest. Keep in mind that the notion of interest is different from the notion of purpose. Purposes are specific to the data processing, while an interest takes a broader stance and looks at the benefits at large. Legitimate interests range from the trivial, like general business benefits, to the compelling, like interests that benefit society at large, and they can be a combination of several interests. A legitimate interest cannot be vague or speculative.
  2. Proving that the processing is necessary as a means to the end that the interest represents. You need to assess whether the processing is necessary for the purposes pursued by your legitimate interest, and whether there are less intrusive ways to achieve those purposes. Necessity should therefore be assessed from the perspective of the interest you identified, not from the perspective of the method you have already chosen.
  3. Weighing the legitimate interest against the interests or fundamental rights and freedoms of the data subjects, to determine whether the legitimate interest overrides them. The assessment includes an estimate of the risk to the data subjects, i.e., its probability and severity. You should also consider how the processing will take place. In particular:
    1. How many recipients the data will be shared with
    2. If the data will be combined with other data
    3. If you will be using profiling or automatic decision-making
    4. If children or other vulnerable data subjects are involved

You should also consider the data subject’s reasonable expectations, risk mitigation measures and safeguards that minimise the impact on the data subject, and give data subjects an opportunity to opt out of the processing. Remember that not every negative impact is prohibited – only those that lead to a disproportionately negative impact.

Now, onwards to the next part about consent management. According to recital 42 of the regulation, where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. There should be appropriate safeguards to ensure that the data subject is aware of the fact that, and the extent to which, consent is given. Pre-formulated consent forms should be provided in an intelligible and easily accessible form, using clear and plain language, and should not contain unfair terms.

The matter of consent management interweaves a lot of different data protection principles, like lawfulness, fairness and transparency, accountability, and purpose limitation. The essential part is that the controller has to have evidence of consent. Who consented, when and how? What information did you as the controller give to the data subject at the time of consent, so they were properly informed?

As covered in the previous post, the GDPR sometimes requires explicit consent, which means that the data subject must give an express statement of consent. Ways to obtain explicit consent could be:

  • written statement
  • filling out an electronic form
  • e-mail from the data subject
  • uploading a scanned document with the signature of the data subject
  • using e-signature
  • oral statement (although difficult to obtain evidence of consent)
  • through a phone conversation with a specific confirmation from the data subject (e.g., pressing a button)
  • two-stage verification of consent

This is where consent management comes into play, since you are obligated to demonstrate consent and to provide the possibility to withdraw it. It’s highly recommended to handle these questions of proof of consent through a consent management system or a registry of some sort. It’s also important that processing based on consent only takes place after the data subject has given consent. That means you must refrain from collecting the personal data until then.

How long does a consent last? That’s not a usual question to ponder, but it is relevant in the context of the GDPR. There are two considerations here. Firstly, the EDPB considers it best practice to obtain a new consent at appropriate intervals, which also keeps the data subjects informed about the processing operations. Secondly, consent can be visualised as a Venn diagram with two overlapping circles: one circle is what the data subject consented to, and the other is the actual processing operation. Ideally, they overlap entirely, but if they diverge too much the consent is no longer valid and needs to be renewed. The consent tool should be able to handle at least the first aspect.

The consent management tool should also be able to handle the withdrawal of the data subject’s consent. If consent is withdrawn, you must stop the processing from the point of withdrawal; all processing that took place before it is still lawful. However, if you want to retain the data, you will need to find another lawful basis for the processing, for example legitimate interest.
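The evidence requirements above (who consented, when, how, and what information they were given) together with the timing rules in the last three paragraphs (no processing before consent, renewal at intervals, processing only within the consented scope, and withdrawal taking effect from the moment it happens) map naturally onto a small consent registry. The following is an added example of such a registry; it is not DPOrganizer’s code or any part of their product, and the renewal interval, purpose names, notice versions and subject ids in it are constructed sample values.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentRecord:
    """One consent event: who consented, when, how, to what, and what they were told."""
    subject_id: str
    purposes: frozenset               # processing purposes the subject agreed to
    given_at: datetime
    method: str                       # how consent was captured, e.g. "web_form", "e_signature"
    notice_version: str               # version of the privacy information shown at that moment
    withdrawn_at: Optional[datetime] = None


class ConsentRegistry:
    """Append-only registry used both to demonstrate consent and to gate processing."""

    def __init__(self, renewal_interval: timedelta):
        # Interval after which a fresh consent should be obtained (assumed policy value,
        # to be set according to the organisation's own assessment).
        self.renewal_interval = renewal_interval
        self._records: dict[str, list[ConsentRecord]] = {}
        self._audit: list[tuple[datetime, str, str]] = []  # (when, subject_id, event)

    def record_consent(self, subject_id, purposes, method, notice_version, given_at):
        rec = ConsentRecord(subject_id, frozenset(purposes), given_at, method, notice_version)
        self._records.setdefault(subject_id, []).append(rec)
        self._audit.append((given_at, subject_id, f"consent_given:{method}:{notice_version}"))
        return rec

    def withdraw(self, subject_id, at) -> int:
        """Close every open consent of the subject at time `at`; returns how many were closed."""
        closed, updated = 0, []
        for rec in self._records.get(subject_id, []):
            if rec.withdrawn_at is None and rec.given_at <= at:
                rec = replace(rec, withdrawn_at=at)   # records are immutable; keep a new copy
                closed += 1
            updated.append(rec)
        self._records[subject_id] = updated
        if closed:
            self._audit.append((at, subject_id, "consent_withdrawn"))
        return closed

    def check(self, subject_id, purpose, at) -> tuple[bool, str]:
        """Decide whether processing `purpose` for `subject_id` at time `at` is covered by consent."""
        records = self._records.get(subject_id, [])
        if not records:
            return False, "no_consent"
        # The most recent consent given on or before `at` governs; later consents do not apply yet.
        applicable = [r for r in records if r.given_at <= at]
        if not applicable:
            return False, "not_yet_given"
        rec = max(applicable, key=lambda r: r.given_at)
        if rec.withdrawn_at is not None and at >= rec.withdrawn_at:
            return False, "withdrawn"          # processing before withdrawal stays lawful
        if purpose not in rec.purposes:
            return False, "out_of_scope"       # the two Venn circles no longer overlap
        if at - rec.given_at > self.renewal_interval:
            return False, "renewal_due"        # best practice: obtain a fresh consent
        return True, "ok"

    def evidence(self, subject_id) -> list[dict]:
        """The proof a controller keeps: who, when, how, what they were told, and any withdrawal."""
        return [
            {
                "subject_id": r.subject_id,
                "given_at": r.given_at.isoformat(),
                "method": r.method,
                "notice_version": r.notice_version,
                "purposes": sorted(r.purposes),
                "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None,
            }
            for r in self._records.get(subject_id, [])
        ]


def run_scenario() -> dict:
    """Walk one constructed subject through consent, scope checks, renewal and withdrawal."""
    reg = ConsentRegistry(renewal_interval=timedelta(days=365))
    t0 = datetime(2021, 10, 11, tzinfo=timezone.utc)
    reg.record_consent("subject-1", {"newsletter", "analytics"}, "web_form", "notice-v3", t0)
    out = {
        "before_consent": reg.check("subject-1", "newsletter", t0 - timedelta(days=1)),
        "in_scope": reg.check("subject-1", "newsletter", t0 + timedelta(days=10)),
        "out_of_scope": reg.check("subject-1", "profiling", t0 + timedelta(days=10)),
        "stale": reg.check("subject-1", "newsletter", t0 + timedelta(days=400)),
        "unknown_subject": reg.check("subject-2", "newsletter", t0),
    }
    reg.withdraw("subject-1", t0 + timedelta(days=30))
    out["before_withdrawal"] = reg.check("subject-1", "newsletter", t0 + timedelta(days=20))
    out["after_withdrawal"] = reg.check("subject-1", "newsletter", t0 + timedelta(days=31))
    out["evidence"] = reg.evidence("subject-1")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The `check` method returns a reason alongside the decision so that a processing pipeline can log why a record was skipped, and `evidence` returns exactly the four things the text asks a controller to be able to show. Note that a withdrawal only closes the record; the data itself is retained, which is where the question of another lawful basis from the paragraph above comes in.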

So, with this post, I have finished talking about lawfulness and the GDPR. As usual, if you have any questions, you can reach me at albin.thelin@nulldporganizer.com. Have a nice week!
